Conventionally, encryption policy for a removable media item (e.g., tape cartridge) has been applied at a high level by an application. This high-level control has provided users with little, if any, control over whether a media item is encrypted without involving the application. Furthermore, it has typically been practically impossible to determine a tape encryption policy or a tape encryption state (e.g., encrypted, not encrypted) by looking at or otherwise physically examining a removable media item (e.g., tape cartridge) without placing the media item in a drive. While a tape drive is mentioned, one skilled in the art will appreciate that similar issues exist for other removable media (e.g., compact disk (CD), solid state disk (SSD)).
Tape drives can be configured to encrypt data written to a tape. Tape drives can also be configured to decrypt data read from a tape. The encrypting and decrypting can be performed at the hardware level of the tape drive. For example, an LTO-4 tape drive includes hardware-based encryption/decryption capability in the tape drive itself. However, tape drives do not simply decide on their own to encrypt or decrypt. Encrypting and decrypting are controlled by policies and parameters. The policies control when a tape drive will encrypt and decrypt and how a tape drive will encrypt and decrypt (e.g., encryption algorithm). The parameters include, for example, an encryption key.
Conventionally, policy has been established by an external entity (e.g., tape library) as configured by a user. Conventionally, the external entity has interacted with a key manager. The external entity plus key manager model has created both challenges and limitations with respect to tape encryption management. Once again, while a tape drive is mentioned, one skilled in the art will appreciate that the external entity plus key manager model has created challenges for other removable media.